Renovating E-Mail With Identity in Mind

E-mail senders, ISPs and vendors take the first steps toward an overhaul of SMTP.

That email message may appear to be from PayPal or EarthLink, but is it really? To know for sure, email needs an identity verification system, and there’s a growing consensus among email senders and recipients that one should be developed.

The latest two proposals, which were released over the past few days, come from portal giant Yahoo and email infrastructure company IronPort Systems, which has a partnership with the Network Advertising Initiative’s Email Service Provider Coalition (ESPC). Both proposals are chiefly aimed at establishing a technical specification to allow email recipients to verify sender identity. The next step, many in the industry believe, would be to tie a reputation rating — something like a credit report — to that identity. But industry-watchers seem to agree getting beyond email’s anonymous nature should be the first step.

“The core issue with email is the lack of identity and the lack of accountability,” said Tom Gillis, senior VP of marketing at IronPort.

Yahoo’s proposed system, DomainKeys, is intended to ensure email communications are really from the domains listed in the sender field. This would allow email administrators to short-circuit messages from spammers and phishers. These scam artists often “spoof”, or use the domains and email addresses of, legitimate businesses to lend credibility to their missives and get unsuspecting recipients to open the email.

DomainKeys would also help ISPs and email providers like Yahoo, as well as enterprises, disavow email messages that misappropriate their domain names.

“By initially addressing identity through DomainKeys, we aim to knock down the first domino in the path to solving the authentication issue, ultimately decreasing the annoyance spam causes for our users,” said Brad Garlinghouse, VP of communication products at Yahoo.

Yahoo execs have submitted the proposal to industry leaders and colleagues at America Online, MSN and EarthLink. The big three portal players, all of which provide ISP service, earlier this year vowed to work together to fight spam. EarthLink later joined the so-called Spam Alliance. Yahoo said it plans to make the proposal document more widely available in the coming days.

DomainKeys’ approach combines public-key cryptography with the domain name system. The domain name owner, who presumably controls the email sent out using the domain name as a sender address, uses the private key to generate a digital signature that’s added to the header of every message that goes out. The owner also places the corresponding public key on his server.

When the message is received, the email system extracts the digital signature and the claimed sending domain. It then fetches the public key from the domain name owner’s server and determines whether the signature was generated by the corresponding private key — thereby verifying the sender’s relationship with the domain.
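The sign-and-verify flow described above, as an added Node.js example that is not part of the original article or of Yahoo's proposal. The header name `X-Example-Signature`, the in-memory `publishedKeys` map standing in for the domain owner's server, and the choice of signed fields are assumptions made for illustration.

```javascript
// Added illustration of the sign/verify flow; not Yahoo's DomainKeys specification.
const crypto = require('crypto');

// Constructed stand-in for the key the domain owner publishes: domain -> PEM public key.
const publishedKeys = new Map();

function publishKey(domain) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  publishedKeys.set(domain, publicKey.export({ type: 'spki', format: 'pem' }));
  return privateKey; // stays with the domain owner
}

// Assumption: the signature covers From, Subject and body in this fixed order.
function signedBytes(msg) {
  return Buffer.from(`${msg.headers.From}\n${msg.headers.Subject}\n\n${msg.body}`);
}

function claimedDomain(msg) {
  const m = /@([A-Za-z0-9.-]+)>?\s*$/.exec(msg.headers.From || '');
  return m ? m[1].toLowerCase() : null;
}

// Sending side: sign with the private key and add the signature as a header.
function signMessage(msg, privateKey) {
  const sig = crypto.sign('sha256', signedBytes(msg), privateKey).toString('base64');
  return { ...msg, headers: { ...msg.headers, 'X-Example-Signature': sig } };
}

// Receiving side: look up the key for the *claimed* domain and check the signature.
function verifyMessage(msg) {
  const sig = msg.headers['X-Example-Signature'];
  const domain = claimedDomain(msg);
  if (!sig || !domain) return 'unsigned';
  const pem = publishedKeys.get(domain);
  if (!pem) return 'no-key';
  const ok = crypto.verify('sha256', signedBytes(msg), pem, Buffer.from(sig, 'base64'));
  return ok ? 'pass' : 'fail';
}

// Constructed sample: example.com publishes a key; another key holder claims its name.
const ownerKey = publishKey('example.com');
const genuine = signMessage(
  { headers: { From: 'billing@example.com', Subject: 'Invoice' }, body: 'Hello' }, ownerKey);
const otherKey = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 }).privateKey;
const spoofed = signMessage(
  { headers: { From: 'billing@example.com', Subject: 'Invoice' }, body: 'Hello' }, otherKey);
console.log(verifyMessage(genuine), verifyMessage(spoofed),
  verifyMessage({ ...genuine, body: 'Hello, changed' }));
```

A message signed with any key other than the one published for the claimed domain fails, as does a signed message whose body was altered after signing.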

“It’s very good news,” said Margaret Olson, chief technology officer of Roving Software and co-chair of the ESPC technology committee, speaking of the Yahoo proposal. “The entire industry is coming to the conclusion that this is the type of solution that needs to be implemented.”

The ESPC itself had issued a more ambitious blueprint, called Project Lumos, back in September. Olson said everything in the Yahoo proposal was “completely consistent” with Lumos. Yahoo’s is more of a practical first-step plan, while Lumos is further reaching.

IronPort Systems has agreed with the ESPC to be one of the “federated registries” to track identity and reputation under the Lumos plan. But it, too, sees a need for a first, baby step.

That’s why IronPort this week released a proposal for SMTPi, which stands for Simple Mail Transfer Protocol with identity features added. Initially, SMTPi would use IP address-based whitelisting combined with extra identification codes in the header to declare the email’s campaign, sender, and email service provider.

Senders would have to record those extra identification elements in a central registry and include them in the headers of email messages they send. Receiving systems would look at the IP address of the last server sending the message — the only part of an email header that can’t be forged — and check to see if it’s present in the registry. If it is on the IP whitelist, the receiver will know to trust the campaign, sender, and email service provider codes.

The second phase in the SMTPi proposal has similar goals to Yahoo’s DomainKeys, though it goes about the domain authentication in a very different manner. Under SMTPi, domain owners specify, using the DNS, which IP addresses are allowed to send mail claiming to be from a given domain. Then, when recipients get mail they can check to see whether the IP address and the purported domain of the sender match. If they don’t, the recipient may want to discard the message.
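A receiver-side sketch of the first two SMTPi phases described above, as an added Node.js example that is not taken from IronPort's proposal. The `X-Example-*` header names, the registry and DNS contents, the use of address ranges, and the rule that header codes must equal the registered ones are all assumptions made for illustration.

```javascript
// Added illustration of SMTPi phases one and two; data and header names are constructed.
// Phase one registry: whitelisted sending IP -> codes the sender registered.
const registry = new Map([
  ['192.0.2.10', { esp: 'ESP-1', sender: 'S-42', campaign: 'C-7' }],
]);
// Phase two DNS data: domain -> addresses or ranges allowed to send mail for it.
const allowedSenders = new Map([['example.com', ['192.0.2.0/28', '198.51.100.5']]]);

function ipToInt(ip) {
  const p = ip.split('.');
  if (p.length !== 4 || p.some(o => !/^\d{1,3}$/.test(o) || Number(o) > 255)) return null;
  return p.reduce((acc, o) => acc * 256 + Number(o), 0);
}

function inRange(ip, range) {
  const [net, bits = '32'] = range.split('/');
  const a = ipToInt(ip), n = ipToInt(net), len = Number(bits);
  if (a === null || n === null || !(len >= 0 && len <= 32)) return false;
  const size = 2 ** (32 - len); // number of addresses covered by the prefix
  return Math.floor(a / size) === Math.floor(n / size);
}

// peerIp must be the address of the connecting server, never a value read from a header.
function evaluate(peerIp, headers) {
  // Phase one: header codes count only when the connecting IP is in the registry.
  const reg = registry.get(peerIp);
  const codesTrusted = Boolean(reg) &&
    reg.esp === headers['X-Example-ESP'] &&
    reg.sender === headers['X-Example-Sender'] &&
    reg.campaign === headers['X-Example-Campaign'];
  // Phase two: does the purported domain list this IP as an allowed sender?
  const m = /@([A-Za-z0-9.-]+)>?\s*$/.exec(headers.From || '');
  const ranges = m ? allowedSenders.get(m[1].toLowerCase()) : undefined;
  const domainCheck = !ranges ? 'none'
    : ranges.some(r => inRange(peerIp, r)) ? 'match' : 'mismatch';
  return { codesTrusted, domainCheck };
}

// Constructed sample headers claiming example.com and its registered codes.
const sample = { From: 'news@example.com', 'X-Example-ESP': 'ESP-1',
  'X-Example-Sender': 'S-42', 'X-Example-Campaign': 'C-7' };
console.log(evaluate('192.0.2.10', sample), evaluate('203.0.113.9', sample));
```

The same headers produce a trusted result from the registered address and an untrusted `mismatch` from any other, because both checks key on the connecting IP rather than on anything the sender wrote into the message.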

The third stage, which bears the most resemblance to Project Lumos, involves the issuance of digital identity certificates and public-key encryption. Senders would digitally sign messages using their private key and embed a certificate in the header of each message. Using the sender’s public key, the receiver verifies the certificate and validates the message.

“The problem,” says IronPort’s white paper on the subject, “is that such a system would require a dramatic overhaul of the existing email infrastructure, requiring years before such a system becomes viable.”

Roving Software’s Olson predicts Yahoo’s and IronPort’s proposals are just the first among many that will be floated over the next few weeks. While the basic premises will be similar, said Olson, “there’s going to have to be a lot of running around and making sure all the details are the same” before anything can be implemented. “Of course, there will be some balkanization. That’s one of the things you just have to get through.

“The network effect is so powerful,” she said, “once this begins to be adopted, it’s in everyone’s best interest to have the same protocols and the same details.”
